okms-cli


The CLI to interact with your OVHcloud KMS services.

NOTE: THIS PROJECT IS CURRENTLY UNDER DEVELOPMENT AND SUBJECT TO BREAKING CHANGES.

Installation

  1. Download latest release
  2. Optionally check checksums against checksums.txt
  3. Untar / unzip the archive somewhere
  4. Add the containing folder to your PATH environment variable
  5. Check the okms cli documentation
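
Step 2 as an added shell example, not taken from the okms-cli repository: it assumes checksums.txt uses the `<sha256-hex>  <filename>` layout that sha256sum writes, and `sha256_of` and `verify_release` are hypothetical helper names. It fails closed when the archive has no entry in the file.

```shell
#!/bin/sh
# Added example, not part of okms-cli. Assumption: checksums.txt holds
# SHA-256 digests, one "<hex>  <filename>" entry per line.

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_release ARCHIVE CHECKSUMS_FILE
# 0 = digest matches, 1 = mismatch, 2 = file missing,
# 3 = archive not listed exactly once (never treated as success).
verify_release() {
    archive=$1
    sums=$2
    name=$(basename "$archive")
    [ -f "$archive" ] && [ -f "$sums" ] || { echo "missing file" >&2; return 2; }
    # Compare the filename field exactly; tolerate the "*" binary-mode marker.
    count=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
        f == n { c++ } END { print c + 0 }' "$sums")
    if [ "$count" -ne 1 ]; then
        echo "$name: $count entries in $sums, refusing to trust it" >&2
        return 3
    fi
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1) }' "$sums")
    actual=$(sha256_of "$archive")
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
    else
        echo "$name: CHECKSUM MISMATCH" >&2
        return 1
    fi
}

# When run as a script: sh <this-file> <downloaded-archive> checksums.txt
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```

Run it before unpacking the archive in step 3, and stop if the exit status is not 0.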

Alternatively, you can pull and run the following Docker image: ghcr.io/ovh/okms-cli

Prerequisites

  1. Go 1.23
  2. (Optional) On Linux, install libpcsc-dev if building with yubikey support enabled

Build

okms cli

# Build the kms cli
$ CGO_ENABLED=0 go build -ldflags="-s -w" ./cmd/okms

# Optionally cross-compile to other targets
# Linux
$ CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" ./cmd/okms
# Windows
$ CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -ldflags="-s -w" ./cmd/okms
# MacOS
$ CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -ldflags="-s -w" ./cmd/okms

Enable yubikey authentication method

Yubikey support is not built in by default (for now) as it adds some dynamic dependencies. Both cli tools can be built with yubikey support enabled by running:

$ go build -ldflags="-s -w" -tags yubikey  -o . ./cmd/...

Both Linux and MacOS must have a C compiler installed (either gcc or clang) and available in the path. Compiling on/for Linux also requires libpcsclite-dev and pkg-config to be installed. Running the cli with yubikey authentication on Linux requires the pcscd daemon package to be installed and running.

Usage

If troubleshooting is required, you can enable logging of error stack traces by setting the following environment variable:

export GO_BACKTRACE=1

okms cli

Check out the full documentation

Invoke the binary okms[.exe] or run go run ./cmd/okms

$ ./okms --help            
Usage:
  okms [command]

Available Commands:
  completion  Generate the autocompletion script for the specified shell
  configure   Configure CLI options
  help        Help about any command
  keys        Manage domain keys
  version     Print the version information
  x509        Generate, and sign x509 certificates

Flags:
  -c, --config string    Path to a non default configuration file
  -h, --help             help for okms
      --profile string   Name of the profile (default "default")

Use "okms [command] --help" for more information about a command.

Default settings can be set using a configuration file named okms.yaml and located in the ${HOME}/.ovh-kms directory.

Example for okms.yaml:

version: 1
profile: default # Name of the active profile
profiles:
  default:
    http:
      endpoint: https://myserver.acme.com
      ca: /path/to/public-ca.crt # Optional if the CA is in system store
      auth:
        type: mtls # Optional, defaults to "mtls"
        cert: /path/to/domain/cert.pem
        key: /path/to/domain/key.pem

These settings can be overwritten using environment variables:

  • KMS_HTTP_ENDPOINT
  • KMS_HTTP_CA
  • KMS_HTTP_CERT
  • KMS_HTTP_KEY

export KMS_HTTP_ENDPOINT=https://the-kms.ovh
export KMS_HTTP_CA=/path/to/certs/ca.crt
export KMS_HTTP_CERT=/path/to/certs/user.crt
export KMS_HTTP_KEY=/path/to/certs/user.key

Each of them can in turn be overwritten with CLI arguments.